Proxy-Arp considered harmful
2011-11-03, RIPE63 – EIX Working Group
Wolfgang Tremmel, Director Support, [email protected]
#3
[Diagram. Labels: Internet (twice); 80.81.192.0/22; 80.81.194.A/22, 80.81.195.B/22, 80.81.194.C/22, 80.81.192.D/22, 80.81.193.E/22]
#4
[Diagram as in #3, adding: 80.81.192.0/23 (three times)]
#5
[Diagram as in #3, adding: 80.81.192.0/23; "Accepted: 80.81.192.0/23" (twice); "blocked"]
#6
[Diagram as in #5, adding: "ARP-Request: Who has 80.81.193.1?"]
#7
[Diagram as in #6, adding: "No proxy-arp"]
#8
[Diagram as in #7, adding: "Send Traffic for 80.81.193.1 to me!"]
#9
Proxy-ARP: a history
• RFC 1027: "Using ARP to Implement Transparent Subnet Gateways"
  – 1987: A network with 100 hosts was considered large
  – Repeaters were common
  – Subnetting was "the new thing"
  – Proxy-Arp was a solution for connecting networks in which hosts were not aware of subnetting
• Proxy-Arp "on" as default in Cisco IOS since version 9 at least
• Do we still need this?
#10
DE-CIX: Lessons learned
• Before the incident we only tested proxy-arp when new customers connected
• Configuration changes went unnoticed
• Now:
  – We test all connected customers for proxy-arp every 10 minutes
  – In case we find one:
    • 24/7 support gets a message
    • Customer is notified
    • Customer port gets shut down
    • As soon as the customer confirms he has turned off proxy-arp he gets re-enabled
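One way the result of the periodic proxy-arp test on the "Lessons learned" slide could be evaluated, as an added example that is not DE-CIX's own tooling. It assumes a probe has sent ARP requests for addresses on the shared LAN and captured the replies, and it flags any MAC that answers for an address not registered to it; the address table, MACs and frames are constructed sample data from a documentation prefix.

```python
import socket
import struct

ARP_FMT = "!6s6sHHHBBH6s4s6s4s"  # Ethernet header + ARP body (IPv4 over Ethernet)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an ARP reply frame (used here only to make sample input)."""
    return struct.pack(ARP_FMT, mac_bytes(target_mac), mac_bytes(sender_mac), 0x0806,
                       1, 0x0800, 6, 4, 2,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_reply(frame):
    """Return (sender_mac, sender_ip) for a well-formed ARP reply, else None."""
    if len(frame) < struct.calcsize(ARP_FMT):
        return None
    (_, _, etype, htype, ptype, hlen, plen, oper,
     sha, spa, _, _) = struct.unpack_from(ARP_FMT, frame)
    if (etype, htype, ptype, hlen, plen, oper) != (0x0806, 1, 0x0800, 6, 4, 2):
        return None  # not an Ethernet/IPv4 ARP reply
    return sha.hex(":"), socket.inet_ntoa(spa)

def find_proxy_arp(frames, assigned):
    """Map each MAC to the IPs it answered for without being their registered owner."""
    offenders = {}
    for frame in frames:
        parsed = parse_reply(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if assigned.get(ip) != mac:  # unassigned IP, or someone else's IP
            offenders.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in offenders.items()}

# Constructed sample data: registered IP -> customer router MAC (hypothetical values).
ASSIGNED = {"198.51.100.10": "02:00:00:00:00:0a", "198.51.100.20": "02:00:00:00:00:14"}
PROBE = ("02:00:00:00:00:01", "198.51.100.1")  # the testing host (assumption)
SAMPLE = [
    build_reply("02:00:00:00:00:0a", "198.51.100.10", *PROBE),   # owner answers
    build_reply("02:00:00:00:00:14", "198.51.100.20", *PROBE),   # owner answers
    build_reply("02:00:00:00:00:14", "198.51.100.200", *PROBE),  # unassigned address
    build_reply("02:00:00:00:00:14", "198.51.100.10", *PROBE),   # neighbour's address
]
if __name__ == "__main__":
    print(find_proxy_arp(SAMPLE, ASSIGNED))
```

A reply from the wrong MAC for an assigned address can also indicate an address conflict, so a flagged port still needs a look at the customer's configuration before it is attributed to proxy-arp.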
#11
Thank you
Join DE-CIX now!
DE-CIX Competence Center @ Kontorhaus Building
Frankfurt Osthafen (Docklands)
Lindleystrasse 12
60314 Frankfurt/Germany
Phone +49 69 1730 902 - [email protected]
22. April 2023 – DE-CIX Management GmbH